About the Cyber Project
Forty years ago, an interdisciplinary group of Harvard scholars – professors, researchers and practitioners – came together to tackle the greatest threat of the Cold War: the fear of a nuclear exchange between the Soviet Union and the United States. Today, we seek to recreate that interdisciplinary approach to
tackle a new threat: the risk of conflict in cyberspace. The problems that confront today’s leaders are substantial and diverse: how to protect a nation’s most critical infrastructure from cyberattack; how to organize, train, and equip a military force to prevail in the event of future conflict in cyberspace; how to deter nation-state and terrorist adversaries from conducting attacks in cyberspace; how to control
escalation in the event of a conflict in cyberspace; and how to leverage legal and policy instruments to reduce the national attack surface without stifling innovation. These are just a sample of the motivating questions that drive our work. The aim of the Belfer Center’s Cyber Project is to become the premier home for rigorous and policy-relevant study of these and related questions.
When we first broached the definition of Cyber Power in 2020 and issued the National Cyber Power Index in the same year, governmental dependency and use of the internet and digital technologies to achieve
national objectives was well known but not effectively catalogued. Neither was the relationship to national power well understood. The popularised concept of cyber power at the state level was piecemeal and contested, primarily focusing on destructive capabilities and on a handful of states.
At the same time, the COVID-19 pandemic was exacerbating the cyber risks that governments, infrastructure, businesses, and remote dispersed workforces face.
Our holistic definition of cyber power and the accompanying index contributed to the global debate, providing a starting point and structure for future thinking on a broader grouping of who has cyber power and what national objectives they seek to achieve via cyber means. The first National Cyber Power Index in 2020 extended the scope of the conversation from 5 to 30 states, from one or two objectives to eight.
Debates on cyber power have influenced some governments to take a more considered approach to measuring their own cyber capabilities and stimulated a deeper exploration of the scope and application of cyber power.
Our intention is to underline the importance of understanding cyber power holistically, that its impacts are more broad reaching than immediate national security concerns, that harnessing it requires a wholeof- nation approach, and that cyber capabilities are but one tool in a state’s toolkit. This broader definition is the prism through which governments across the world are channelling their resources to achieve national objectives, and through which a cornerstone of international engagement should be understood and shaped. Understanding the evolution of states and their respective cyber power will remain fundamental for policymakers and geopolitics for the foreseeable future. The National
Cyber Power Index team will continue to revisit and measure cyber power as it evolves.
Since we published the inaugural National Cyber Power Index (NCPI) in Fall 2020 the discussion on cyber power – including its scope and utility – has continued unabated. Its importance is undeniable with governments across the world prioritizing the development of multifaceted capabilities and releasing new cyber strategies outlining how at international, national, and local levels they intend to harness their domestic capabilities to develop their cyber power to achieve the eight objectives we first highlighted two years ago.
Whilst governments have been developing holistic policy on developing and using cyber power over the past two years, we have witnessed a slew of significant cyberattacks including Solarwinds, Microsoft Exchange, Colonial Pipeline, JBS and more recently the use of cyberattacks as one of many tools deployed in Russia’s attack on Ukraine. Not only has the number of large-scale ransomware attacks risen in the past two years, but we’ve also seen an increase in the use of digital supply chains as a vector for cyberattacks. The more connected and integrated we become, the more attractive cyberattacks will be for criminals and states. States need to enhance their cyber power to protect their interests.
To best understand the actions of states and national power today, it is useful to conceptualize cyber power as composed of the eight objectives that states will attempt to achieve in and through cyberspace. States seek to not only destroy and disable an adversary’s infrastructure and capabilities (the traditional, but narrow and misleading, perception of cyber power), but also to strengthen and enhance national cyber defences, gather intelligence in other countries, grow national cyber and commercial technology competence, control and manipulate the information environment, and to extend their influence through defining international cyber norms and technical standards. Cyber power should be considered in the context of a state’s national objectives and governments should, and increasingly are, taking a whole-of-nation approach when attempting to harness it.
This 2022 Index provides a refreshed measurement of 30 states’ cyber power through considering the indicators that contribute to both intent and capabilities.
We have used 29 capability indicators across eight objectives to measure capability and assessed national strategies for all states assessed, where available.
Belfer Center for Science and International Affairs | Harvard Kennedy School 3 The movements in state rankings reflect the data available to measure cyber power. We emphasize that any movements downwards are not a reflection that the state in question’s capabilities have decreased in absolute terms, in most cases it is because publicly available data has become available for other states which demonstrates both their capability and intent to pursue the national objectives through cyber means.
Our primary aim is to understand and track cyber power as an evolving interconnected set of policies and capabilities that span the breadth of a state’s activity. Our framework and the index are only a tip of the iceberg for understanding states intentions and capabilities in cyberspace. The academic and policy research space on cyber power and geopolitics is growing and we expect this field and the concept of cyber power to continue to evolve in the coming years.